
Unusual infection


No replies to this topic

#1 Edward Shryock

Posted 20 December 2010 - 11:39 AM

I no longer have the computer in my shop. Had to let it leave after I took care of the infection.

It had a few things that were removed, but one that confused me was a lone .dat file in the ProgramData directory. Even after running Malwarebytes, etc., it still was spawning iexplore.exe processes. If I managed to get one to come forward, it was showing that it was going to 'clickpassive.org', etc.

I saved the file that I removed. I ran it through VirusTotal; only Norman and Sophos see anything, and their detections are, as expected anymore, not consistent with each other.

What gets me about it, however, is that nowhere in the registry or windows\tasks or windows\system32\tasks folder does the name of the file show up. I removed the file, and I was no longer getting iexplore.exe processes spawning.

I have uploaded it to my webserver, for examination by others here.

http://www.500mb.us/4258588672.dat

This is not a directly executable file, so I didn't bother to neuter it in any way.

My question is, where can this file be called, if not from the registry or scheduled tasks?
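One way to check the places the post names (the Run-style registry keys and the two task folders) together with the other standard Windows autostart points in a single pass, as an added example that is not code from the original post: it takes a regular expression and reports every autostart entry, service image path, task definition or startup-folder item that mentions it. The script name, the `-FullRegistryScan` switch and the use of the file name from the post's link as the sample pattern are this example's own assumptions; it assumes an elevated PowerShell 3.0 or later session on the machine being examined.

```powershell
<#
  Added example (not from the original post): report every common Windows
  autostart entry whose value mentions a given file name.
  Assumes an elevated PowerShell 3.0+ session on the machine under examination.
  Usage (file name taken from the post's link, as a sample argument):
      .\Find-AutostartReference.ps1 -Pattern '4258588672\.dat'
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Pattern,          # regular expression matched against each entry
    [switch]$FullRegistryScan  # also walk every value under HKLM and HKCU (slow)
)

$hits = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Source, [string]$Name, [string]$Value) {
    if ($Value -and ($Value -match $Pattern)) {
        $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
    }
}

function Search-RegistryKey([string]$Key) {
    if (-not (Test-Path $Key)) { return }
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        # PS* properties belong to the PowerShell provider, not to the registry key
        if ($p.Name -notlike 'PS*') { Add-Hit $Key $p.Name ([string]$p.Value) }
    }
}

# 1. Registry keys that launch or load code at boot, logon or process start
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Shell, Userinit
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',    # AppInit_DLLs
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'         # BootExecute
)
foreach ($k in $autostartKeys) { Search-RegistryKey $k }

# 2. Services and drivers: the image path of each one
Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'Win32_Service' $_.Name $_.PathName }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ip = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        Add-Hit 'Services\ImagePath' $_.PSChildName ([string]$ip)
    }

# 3. Scheduled task definitions: XML under System32\Tasks plus the legacy Tasks folder
$taskDirs = @("$env:windir\System32\Tasks", "$env:windir\Tasks")
Get-ChildItem -Path $taskDirs -Recurse -File -ErrorAction SilentlyContinue |
    Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'ScheduledTask' $_.Path $_.Line }

# 4. Per-user and all-users Startup folders
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $startupDirs -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'StartupFolder' $_.Name $_.FullName }

# 5. Optional: walk every value in HKLM and HKCU, which is how to confirm a
#    claim that a name appears nowhere in the registry
if ($FullRegistryScan) {
    foreach ($hive in 'HKLM:\', 'HKCU:\') {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { Search-RegistryKey $_.PSPath }
    }
}

$hits | Format-Table -AutoSize
```

Two points about reading its output. First, a file that is not directly executable, as the poster describes, is not normally launched on its own; it is read or loaded by something else, so the useful match is the file name appearing as a string inside another entry's value (a service image path, a task's command line, a Winlogon or AppInit_DLLs value), which is why the script matches on the value text rather than on the entry's name. Second, the targeted keys in step 1 are a short list of the most common autostart points, not all of them; `-FullRegistryScan` is the slow but exhaustive way to check the whole of HKLM and HKCU, and legacy binary `.job` files in `windows\Tasks` store their command line as UTF-16 text that `Select-String` may not match, so they are worth opening separately if the folder is not empty.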
